How to set up replication on Apache Directory Server - apache

I have 2 ApacheDS services running on my workstation (Windows 7). One of the services runs as a Windows service and the other one I am running from its jar file from the command line using
java -jar "C:\Program Files (x86)\ApacheDS - Instance2\lib\apacheds-service-2.0.0-M15.jar" "C:\Program Files (x86)\ApacheDS - Instance2\instances\instance2"
The first ApacheDS installation is at location C:\Program Files (x86)\ApacheDS and it runs on port 10389. The second service runs on port 11389.
Using Apache Directory Studio I can connect to both these instances/services running on my workstation and there are no errors on the console.
Using the following LDIF file I have imported settings for Instance 1, which will be the master:
dn: ads-serverId=ldapServer,ou=servers,ads-directoryServiceId=default,ou=config
changetype: modify
add: ads-replReqHandler
ads-replReqHandler: org.apache.directory.server.ldap.replication.provider.SyncReplRequestHandler
Then I also imported the following LDIF file to Instance 1/master:
dn: ads-replConsumerId=1,ou=replConsumers,ads-serverId=ldapServer,ou=servers,ads-directoryServiceId=default,ou=config
changetype: add
ads-replRefreshNPersist: TRUE
ads-replAliasDerefMode: never
ads-replProvPort: 10389
ads-replSearchSizeLimit: 0
ads-replProvHostName: localhost
objectClass: ads-replConsumer
objectClass: ads-base
ads-replUserDn: uid=admin, ou=system
ads-replRefreshInterval: 60000
ads-replUserPassword: secret
ads-replConsumerId: 1
ads-replAttributes: *
ads-replSearchTimeOut: 0
ads-replSearchScope: sub
ads-replSearchFilter: (objectClass=*)
ads-searchBaseDN: ou=system
I added a few users under ou=users,ou=system on the master but nothing gets replicated to the slave. There is no evidence on the consoles of either instance that these two instances are trying to talk, and hence I think this is not the right configuration, or an incomplete one, as there is nothing I could find in the ApacheDS documentation that needs to be added as part of the consumer configuration on Instance2/Slave. Am I missing something?
Thanks!

There was a bug in the ApacheDS 2.0-M15 version regarding replication. That bug has already been fixed and the fix will be in M16. I built 2 separate instances from the ApacheDS SVN trunk, built the installers and ran the 2 instances. Added the following settings/config on the provider/master (running on port 10389):
dn: ads-serverId=ldapServer,ou=servers,ads-directoryServiceId=default,ou=config
changetype: modify
add: ads-replReqHandler
ads-replReqHandler: org.apache.directory.server.ldap.replication.provider.SyncReplRequestHandler
Added the following config to the consumer/slave instance (running on port 11389):
dn: ads-replConsumerId=1,ou=replConsumers,ads-serverId=ldapServer,ou=servers,ads-directoryServiceId=default,ou=config
changetype: add
ads-replRefreshNPersist: TRUE
ads-replAliasDerefMode: never
ads-replProvPort: 10389
ads-replSearchSizeLimit: 0
ads-replProvHostName: localhost
objectClass: ads-replConsumer
objectClass: ads-base
ads-replUserDn: uid=admin, ou=system
ads-replRefreshInterval: 60000
ads-replUserPassword: secret
ads-replConsumerId: 1
ads-replAttributes: *
ads-replSearchTimeOut: 0
ads-replSearchScope: sub
ads-replSearchFilter: (objectClass=*)
ads-searchBaseDN: ou=system
Restarted both instances, tried adding an entry on the provider and, wow! it got replicated to the consumer.
Though the configuration I posted in the question is incorrect, a couple of confusing things led to that configuration:
Lack of clear documentation on the ApacheDS website.
Apache Directory Studio: when you create a connection in Apache Directory Studio to connect to an ApacheDS service, you can right-click on the connection and open its configuration (which is stored under ou=config; it's basically a GUI for ou=config). When you click on the last tab, 'Replication', the title reads 'All Replication Consumers' with an 'Add' button placed on the right. This is misleading as it gives the user the impression that one needs to add consumer/slave details here and that this config should lie on the master/provider side.

Related

Error while importing LDIF file in Apache Directory Studio

I'm connected to my LDAP connection.
I'm trying to import an LDIF file to it by right-clicking and using the wizard.
As I choose the file, check the overwrite option and press OK,
I get the following error:
Error while importing LDIF
javax.naming.NameAlreadyBoundException:
at org.apache.directory.studio.connection.core.io.api.DirectoryApiConnectionWrapper.checkResponse(DirectoryApiConnectionWrapper.java:1359)
And this appears in the Modification Logs tab:
#!RESULT ERROR
#!CONNECTION ldap://192.168.99.100:389
#!DATE 2018-01-24T11:01:17.743
#!ERROR
dn: dc=mycompany,dc=net
changetype: add
dc: mycompany
objectclass: dcObject
objectclass: organization
o: mycompany.net
I tried googling around with the error but can't find anything on this particular matter.
Also, when I choose the LDIF file, even after uninstalling and reinstalling the program, it already warns upon selecting the LDIF file that "selected logfile already exists".
The description of javax.naming.NameAlreadyBoundException sounds like this is a weird name for the LDAP result code entryAlreadyExists(68) returned when processing the LDAP Add Operation.
It means just that: An LDAP entry with this DN already exists. You cannot add a second one with the same DN.

LDAPMODIFY - LDIF format for modifying DNs of computer objects

I'd like to write an ldapmodify command and pass in an LDIF file to move computers to a new OU. This means I need to change the DNs.
Example:
CN=joesworkstation,OU=training,OU=computers,DC=my,DC=domain,DC=com
to
CN=joesworkstation,OU=laptops,DC=my,DC=domain,DC=com
The ldif man page shows how to rename a CN for a user, but not how to change the DN of a computer. Based on their example though, this is my guess at the LDIF file format:
dn: CN=joesworkstation,OU=training,OU=computers,DC=my,DC=domain,DC=com
changetype: modify
replace: dn
dn: CN=joesworkstation,OU=laptops,DC=my,DC=domain,DC=com
deleteoldrdn: 1
Is this the most correct way to do this?
Depending on the LDAP server implementation, the LDIF should be something like:
dn: CN=joesworkstation,OU=training,OU=computers,DC=my,DC=domain,DC=com
changetype: moddn
# newrdn is required by the LDIF spec (RFC 2849); keep the current RDN
newrdn: CN=joesworkstation
newsuperior: OU=laptops,DC=my,DC=domain,DC=com
# remove old RDN entry
deleteoldrdn: 1
There could be restraints on such activities.
Perform due diligence.
There may be better methods for Microsoft Active Directory.
-jim
I was able to get a solution to work finally today.
To update the DN of computer objects I used the following LDIF formatted file:
dn: CN=joesworkstation,OU=training,OU=computers,DC=my,DC=domain,DC=com
changetype: moddn
newrdn: joesworkstation
deleteoldrdn: 1
newsuperior: OU=laptops,DC=my,DC=domain,DC=com
This worked quite well and kept all the values of the attributes of the computer object intact as well.
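An added example (not from either answer above) that generates the moddn record in the form that finally worked, newrdn plus deleteoldrdn plus newsuperior, from a current DN and a target parent; it splits the RDN without breaking on escaped commas, writes newrdn as the full RDN (CN=...) as RFC 2849 specifies, and refuses a move that would put an entry under its own subtree. The function names are hypothetical.

```python
import re

def split_dn(dn):
    """RDNs of a DN, split on commas that are not backslash-escaped."""
    return [p.strip() for p in re.split(r"(?<!\\),", dn)]

def is_under(dn, ancestor):
    """True if dn equals ancestor or lies in its subtree (case-insensitive)."""
    d = [r.lower() for r in split_dn(dn)]
    a = [r.lower() for r in split_dn(ancestor)]
    return len(d) >= len(a) and d[len(d) - len(a):] == a

def moddn_ldif(dn, new_superior, new_rdn=None, delete_old_rdn=True):
    """One LDIF moddn change record moving (and optionally renaming) `dn`
    under `new_superior`. new_rdn defaults to the entry's current RDN."""
    if is_under(new_superior, dn):
        raise ValueError("cannot move %s under itself" % dn)
    rdn = new_rdn or split_dn(dn)[0]
    return "\n".join([
        "dn: " + dn,
        "changetype: moddn",
        "newrdn: " + rdn,
        "deleteoldrdn: " + ("1" if delete_old_rdn else "0"),
        "newsuperior: " + new_superior,
    ]) + "\n"

def move_batch(moves):
    """Blank-line-separated LDIF for several (dn, new_superior) moves."""
    return "\n".join(moddn_ldif(dn, sup) for dn, sup in moves)

if __name__ == "__main__":
    # Constructed sample matching the question's example move.
    print(moddn_ldif("CN=joesworkstation,OU=training,OU=computers,DC=my,DC=domain,DC=com",
                     "OU=laptops,DC=my,DC=domain,DC=com"))
```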

Two domain components of objectClass top

New to LDAP. Exported the DIT as an LDIF from Apache Studio. Tried to import the LDIF file. Error occurs:
...
#!ERROR [LDAP: error code 32 - Unable to add entry 'dc=example,dc=com' because its parent entry 'dc=com' does not exist in the server.]
dn: dc=example,dc=com
changetype: add
dc: example
objectClass: domain
objectClass: top
The LDAP server is UnboundID LDAP SDK for Java 3.2.0.
I don't know enough LDAP to fix it.
Should Apache Studio have created dc=com before this entry?
LDIF export does not guarantee ordering. LDIF import assumes ordering.
So to answer your question, yes, you should have created dc=com first.
There is a subtle exception where you can have a dc=example.com as a single node which looks confusing. But periods are legal in a name.
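As an added example of the ordering point above (not from the answer): a small LDIF record parser and an import-order check that sorts records parent-before-child and reports entries whose parent is in neither the file nor the server, treating dc=example.com as a single RDN. The sample LDIF and the function names are constructed for this example; the parser also decodes the "::" base64 values that appear in LDIF exports.

```python
import base64
import re

# Constructed sample in the question's export order: child record before parent.
SAMPLE_LDIF = """\
dn: dc=example,dc=com
changetype: add
objectClass: domain
dc: example

dn: dc=com
objectClass: domain
"""

def split_dn(dn):
    """RDNs of a DN, split on unescaped commas ('.' is not a separator)."""
    return [p.strip() for p in re.split(r"(?<!\\),", dn)]

def parse_ldif(text):
    """[(dn, {attr: [values]})] per record; handles '#' comments, folded lines, '::' base64."""
    records = []
    for block in re.split(r"\n[ \t]*\n", text.strip()):
        lines = []
        for raw in block.splitlines():
            if raw.startswith("#"):
                continue
            if raw.startswith(" ") and lines:   # folded continuation line
                lines[-1] += raw[1:]
            else:
                lines.append(raw)
        dn, attrs = None, {}
        for line in lines:
            name, sep, value = re.match(r"([^:]+)(::?) ?(.*)", line).groups()
            if sep == "::":
                value = base64.b64decode(value).decode("utf-8")
            if name.lower() == "dn":
                dn = value
            else:
                attrs.setdefault(name, []).append(value)
        records.append((dn, attrs))
    return records

def order_for_import(records, existing=()):
    """Parent-before-child order (what import assumes) plus DNs whose parent is absent."""
    present = {dn.lower() for dn, _ in records} | {d.lower() for d in existing}
    missing = []
    for dn, _ in records:
        parent = ",".join(split_dn(dn)[1:]).lower()
        if parent and parent not in present:   # parent neither in file nor on server
            missing.append(dn)
    return sorted(records, key=lambda r: len(split_dn(r[0]))), missing
```

Pass the DNs already present on the server as `existing` to avoid false reports for the suffix entries that an import target already has.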

Adding new objectclass/attribute to existing ldap entry returns error

I have created 4 new attributes on cn=schema and also created a new objectClass with the 4 attributes set as MUST.
I tried to add the objectClass to an existing entry, which obviously returns an error because those 4 new attributes are not set up for the LDAP entry.
I created an LDIF file and ran ldapmodify but get an object class violation error. Can anyone tell me what's causing this error and if I'm missing anything?
LDIF:
#ldapmodify.bat -h localhost -p 1389 -D "cn=Directory Manager" -w xxxxx -a -f entry.ldif
dn: uid=user.0,ou=People,dc=example,dc=com
changetype: modify
add: disabledFlag
disabledFlag: n
-
add: passwordData
passwordData:< file:/C:\\oud\\asinst_1\\OUD\\bat\\images.png
-
add: anonymousID
anonymousID: nah
-
add: challengeResponse
challengeResponse: nah
Error after executing the command:
Processing MODIFY request for uid=user.0,ou=People,dc=example,dc=com
MODIFY operation failed
Result Code: 65 (Object Class Violation)
Additional Information: Entry uid=user.0,ou=People,dc=example,dc=com cannot not be modified because the resulting entry would have violated the server schema: Entry uid=user.0,ou=People,dc=example,dc=com violates the Directory Server schema configuration because it includes attribute anonymousID which is not allowed by any of the objectclasses defined in that entry
LDAP installed is OUD 11gR2.
Finally able to solve the question myself.
This is what I did:
Changed STRUCTURAL to ABSTRACT for the objectClass, since there can be only one STRUCTURAL, and updated the objectClass to have MAY attributes instead of MUST.
Used the LDAP port instead of the admin port in the ldapmodify command.
I still couldn't figure out why the objectClass can't be created with MUST. Is this a chicken-and-egg kind of problem?
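An added toy model (not OUD's code) of the check the error message above describes: the server validates the entry as it would look after the whole modify, so a class with MUST attributes can be added as long as the objectClass value and every required attribute arrive in the same operation. The SCHEMA, the base classes and the stand-in user entry are constructed for this example; only the four attribute names come from the question.

```python
# Constructed schema: a person-like base plus the question's custom class with
# its four attributes as MUST. 'secretUserData' is a made-up class name.
SCHEMA = {
    "top":    {"must": {"objectClass"}, "may": set()},
    "person": {"must": {"cn", "sn"}, "may": {"userPassword"}},
    "secretUserData": {"must": {"disabledFlag", "passwordData",
                                "anonymousID", "challengeResponse"}, "may": set()},
}

def check_entry(entry):
    """Schema violations of an entry ({attr: [values]}) as a list of strings."""
    classes = entry.get("objectClass", [])
    unknown = [c for c in classes if c not in SCHEMA]
    if unknown:
        return ["unknown objectClass %s" % c for c in unknown]
    allowed, required = set(), set()
    for c in classes:
        allowed |= SCHEMA[c]["must"] | SCHEMA[c]["may"]
        required |= SCHEMA[c]["must"]
    problems = ["attribute %s not allowed by any objectClass" % a
                for a in entry if a not in allowed]
    problems += ["required attribute %s missing" % a
                 for a in sorted(required) if a not in entry]
    return problems

def apply_modify(entry, changes):
    """Apply ('add', attr, [values]) changes to a copy of the entry and return
    (resulting_entry, violations). A non-empty list is what a server turns into
    result code 65 (Object Class Violation), leaving the entry unchanged."""
    new = {k: list(v) for k, v in entry.items()}
    for op, attr, values in changes:
        if op != "add":
            raise ValueError("this toy model only handles 'add'")
        new.setdefault(attr, []).extend(values)
    return new, check_entry(new)

# Constructed stand-in for uid=user.0 and the four adds from the question's LDIF.
USER = {"objectClass": ["top", "person"], "cn": ["user.0"], "sn": ["zero"]}
ADDS = [("add", a, ["nah"]) for a in
        ("disabledFlag", "passwordData", "anonymousID", "challengeResponse")]
ADD_CLASS = [("add", "objectClass", ["secretUserData"])]

if __name__ == "__main__":
    print("attributes only  :", apply_modify(USER, ADDS)[1])
    print("class + all MUST :", apply_modify(USER, ADD_CLASS + ADDS)[1])
    print("class, one missing:", apply_modify(USER, ADD_CLASS + ADDS[:3])[1])
```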

ApacheDS Multi Master config

I'm looking for some help with an ApacheDS multi-master solution.
I'm new to setting up LDAP solutions and so it's quite possible that I'm making some pretty basic errors.
I have two CentOS VMs running, LDAP1 and LDAP2, each with a running ApacheDS instance.
LDAP1 is running ApacheDS on port 10389 and LDAP2 is running ApacheDS on port 10399.
I can connect to both servers using Apache Directory Studio with no problems and can see the default structures listed.
I have then imported the SevenSeas structure into LDAP1, and enabled DEBUG for replication on both LDAP1 and LDAP2 by uncommenting the following lines in /instances/default/conf/log4j.properties:
log4j.logger.org.apache.directory.server.PROVIDER_LOG=DEBUG
log4j.logger.org.apache.directory.server.CONSUMER_LOG=DEBUG
I then attempt to create the multi-master config following this guide: http://joacim.breiler.com/apacheds/ch08s02.html
1) I enable the replication handler on LDAP1 by importing the following LDIF:
dn: ads-serverId=ldapServer,ou=servers,ads-directoryServiceId=default,ou=config
changetype: modify
add: ads-replReqHandler
ads-replReqHandler: org.apache.directory.server.ldap.replication.provider.SyncReplRequestHandler
2) I then enable the replication handler on LDAP2 by importing the same LDIF as above.
3) I then restart both the LDAP1 and LDAP2 ApacheDS servers.
4) Once the servers restart I check apacheDS.log and see the following entries (on both LDAP1 and LDAP2):
[08:41:28] DEBUG [org.apache.directory.server.PROVIDER_LOG] - initializing the syncrepl provider
[08:41:28] DEBUG [org.apache.directory.server.PROVIDER_LOG] - Starting the replication consumer manager
[08:41:28] DEBUG [org.apache.directory.server.PROVIDER_LOG] - no replica logs found to initialize
[08:41:28] DEBUG [org.apache.directory.server.PROVIDER_LOG] - syncrepl provider initialized successfully
5) I then import the following LDIF on LDAP2 (no errors are generated):
dn: ads-replConsumerId=1,ou=replConsumers,ads-serverId=ldapServer,ou=servers,ads-directoryServiceId=default,ou=config
objectClass: ads-base
objectClass: ads-replConsumer
objectClass: top
ads-replAliasDerefMode: never
ads-replAttributes: *
ads-replConsumerId: 1
ads-replProvHostName: ldap1
ads-replProvPort: 10389
ads-replRefreshInterval: 60000
ads-replRefreshNPersist: true
ads-replSearchFilter: (objectClass=*)
ads-replSearchScope: sub
ads-replSearchSizeLimit: 0
ads-replSearchTimeOut: 0
ads-replUserDn: uid=admin,ou=system
ads-replUserPassword:: c2VjcmV0
ads-searchBaseDN: o=SevenSeas
6) I then import the following LDIF on LDAP1:
dn: ads-replConsumerId=2,ou=replConsumers,ads-serverId=ldapServer,ou=servers,ads-directoryServiceId=default,ou=config
objectClass: ads-base
objectClass: ads-replConsumer
objectClass: top
ads-replAliasDerefMode: never
ads-replAttributes: *
ads-replConsumerId: 2
ads-replProvHostName: ldap2
ads-replProvPort: 10399
ads-replRefreshInterval: 60000
ads-replRefreshNPersist: true
ads-replSearchFilter: (objectClass=*)
ads-replSearchScope: sub
ads-replSearchSizeLimit: 0
ads-replSearchTimeOut: 0
ads-replUserDn: uid=admin,ou=system
ads-replUserPassword:: c2VjcmV0
ads-searchBaseDN: o=SevenSeas
7) I then attempt to restart the LDAP1 and LDAP2 ApacheDS servers and hit the following error on both servers (reported in ApacheDS.log):
[08:52:42] ERROR [org.apache.directory.server.config.ConfigPartitionReader] - An error occured while reading the configuration DN 'ou=replConsumers,ads-serverId=ldapServer,ou=servers,ads-directoryServiceId=default,ou=config' for the objectClass 'ads-replConsumer':
ERR_04274 Can't find an OID for the name ads-base
[08:52:42] ERROR [org.apache.directory.server.UberjarMain] - Failed to start the service.
org.apache.directory.server.config.ConfigurationException: An error occured while reading the configuration DN 'ou=replConsumers,ads-serverId=ldapServer,ou=servers,ads-directoryServiceId=default,ou=config' for the objectClass 'ads-replConsumer':
ERR_04274 Can't find an OID for the name ads-base
at org.apache.directory.server.config.ConfigPartitionReader.read(ConfigPartitionReader.java:641)
at org.apache.directory.server.config.ConfigPartitionReader.read(ConfigPartitionReader.java:600)
at org.apache.directory.server.config.ConfigPartitionReader.read(ConfigPartitionReader.java:600)
at org.apache.directory.server.config.ConfigPartitionReader.readConfig(ConfigPartitionReader.java:754)
at org.apache.directory.server.config.ConfigPartitionReader.readConfig(ConfigPartitionReader.java:718)
at org.apache.directory.server.config.ConfigPartitionReader.readConfig(ConfigPartitionReader.java:690)
at org.apache.directory.server.ApacheDsService.start(ApacheDsService.java:177)
at org.apache.directory.server.UberjarMain.start(UberjarMain.java:76)
at org.apache.directory.server.UberjarMain.main(UberjarMain.java:54)
8) I then reverted the config to before the import to allow me to restart the servers.
9) If I remove the following line from the LDIF used in points 5/6, I'm then able to start the servers:
objectClass: ads-base
10) The debug output (on both LDAP1 and LDAP2) reflects that the replication is working:
[09:02:31] DEBUG [org.apache.directory.server.PROVIDER_LOG] - initializing the syncrepl provider
[09:02:31] DEBUG [org.apache.directory.server.PROVIDER_LOG] - Starting the replication consumer manager
[09:02:31] DEBUG [org.apache.directory.server.PROVIDER_LOG] - no replica logs found to initialize
[09:02:31] DEBUG [org.apache.directory.server.PROVIDER_LOG] - syncrepl provider initialized successfully
11) I then log in to LDAP2 and do not see the partition o=SevenSeas, which to me says the replication hasn't worked? Have I missed a stage?
UPDATE
I've been able to make some more progress on this. While using the Apache Directory Studio tool I stumbled on the server configuration tabs (right-click on the LDAP connection). Amongst the tabs is a Replication tab.
This allows you to add consumers. On LDAP1 I added a consumer pointing to LDAP2 and on LDAP2 I added a consumer pointing to LDAP1, where the BASE DN was ou=system. The consumer ID appears to need to match the IDs given in points 5/6.
I then restarted both the LDAP servers.
When the servers restarted I could see that they were talking to each other (via the debug output). I made an edit to the ou=system partition on LDAP1 and this was replicated to LDAP2. I then made an edit to the ou=system partition on LDAP2 and this was replicated to LDAP1.
My issue is now that I cannot replicate other partitions, no matter what the BASE DN is in the consumer config.
I guess we started working on the same issue at the same time today. Replication to a custom partition seems to work when you set the cache to 1000 for the partition.